Podcasts

Risky Business AusCERT Special -- Day one coverage is live!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Day one of ITRadio's AusCERT conference coverage is up and ready! You can go to our special AusCERT sub-site to download interviews and presentations. We've already got heaps on the site (www.itradio.com.au/AusCERT08/) for you to go and grab, including an interview with the former technical director of the NSA, Brian Snow.

Click here to visit ITRadio's special AusCERT site...


PRESENTATION: William Cheswick, AT&T, on passwords

Presented by

Patrick Gray

CEO and Publisher

In this AusCERT presentation, AT&T staffer and security legend Bill Cheswick says passwords, as they exist today, are dead. While it might not be the most original topic, Cheswick's presentation is a lot of fun.

He worked on early firewalls and honeypots at Bell Labs in the 80s, and has since done a bunch of interesting stuff including the Internet Mapping Project. Have you ever heard of a network being described as crunchy on the outside and gooey on the inside? Well, that came from a USENIX paper Cheswick wrote in the early 90s. He's also an excellent speaker.

So here's his AusCERT talk, where he spends the first minute and a half reading from various password policies... bear with him though, it's a great presentation.


PRESENTATION: Shadowserver Foundation

Presented by

Patrick Gray

CEO and Publisher

You may or may not have heard of the Shadowserver Foundation. It's a volunteer-run organisation designed to track malware, botnet activity and electronic fraud. Richard Perlotto runs the technology and operational side of the organisation, but his day job is as a security advisor to Cisco Systems.

Before that, he ran Security Operations for Cisco worldwide for almost four years. In this AusCERT presentation, Perlotto talks about what the Shadowserver Foundation actually does -- how it collects its data and what it does with that information once it has it.


PRESENTATION: Former NSA technical director Brian Snow...

Presented by

Patrick Gray

CEO and Publisher

This presentation is by the former Director of Information Assurance for America's National Security Agency, Brian Snow. He joined the NSA in 1971 after founding the computer science department at Ohio University in the 60s. He spent his first 20 years at the NSA directing research and development into cryptographic and secure systems. He also created and managed NSA's secure systems design division in the 80s.

In this presentation, Snow argues commercial software lacks quality, reliability and safety -- in other words, we can do better. So here it is, former NSA technical director Brian Snow's presentation to AusCERT's 2008 conference on the Gold Coast.

UPDATE: Brian Snow was the Technical Director of IAD, not the Director...


INTERVIEW: William Cheswick, AT&T

Presented by

Patrick Gray

CEO and Publisher

In this interview, Risky Business host Patrick Gray talks to Bill Cheswick, who's been doing security research since the 1980s. He was a speaker at AusCERT this year, and you can find his talk here.

The interview is pretty wide-ranging, touching on new approaches to security in desktop virtualisation, the quality of Brian Snow's AusCERT address and much more. Cheswick is a lot of fun, so check it out!


INTERVIEW: Microsoft's Security Intelligence Report...

Presented by

Patrick Gray

CEO and Publisher

In this interview, Risky Business host Patrick Gray discusses Microsoft's Security Intelligence Report with the company's general manager of product security, George Stathakopoulos, and Ziv Mador -- a response coordinator for Microsoft's Malware Protection Centre.

These guys have access to intel from 450 million machines. You can read the report here.


INTERVIEW: Former NSA technical director Brian Snow...

Presented by

Patrick Gray

CEO and Publisher

The following is an interview with the former director of Information Assurance for America's National Security Agency, Brian Snow. He joined the NSA in 1971 after founding the computer science department at Ohio University in the 60s. He spent his first 20 years at the NSA directing research and development into cryptographic and secure systems. He also created and managed NSA's secure systems design division in the 80s.

In this interview, Snow argues software companies need to back off their time-to-market-driven policies and focus more on quality. You can listen to his AusCERT talk by clicking here.

UPDATE: Brian Snow was the Technical Director of IAD, not the Director...


INTERVIEW: AusCERT's home user security survey...

Presented by

Patrick Gray

CEO and Publisher

Traditionally, AusCERT has conducted an annual corporate and government computer crime survey. But last year the Australian Institute of Criminology decided it was going to do a bigger, better funded survey... so AusCERT has mixed things up and this year released a report on home user security.

I spoke to AusCERT's threats and assessments manager Kathryn Kerr about the home user survey, which can be downloaded here.

As you'll hear, AusCERT was surprised by some of the findings -- for example, 62% of respondents would like their ISPs to disconnect them from the Internet if malware is detected on their systems... So here it is now, a chat with Kathryn Kerr about home user security and AusCERT's home user security survey...


Risky Business NEWSFLASH -- Debian disaster more serious than first thought... interview with H D Moore

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

(UPDATE: H D Moore's PRNG Debian toys can be found here.)

This is a special newsflash edition of Risky Business, posting at 4pm on Wednesday May 14. Most listeners would be aware that a serious bug in Debian's random number generator has been patched overnight. Unfortunately, all keys generated by Debian systems (and by the looks of things Ubuntu systems as well) are completely useless and need to be regenerated.

That means your SSH and SSL content encryption AND authentication have been rendered ineffective. Not only are your server-generated keypairs ineffective, any user-generated keypair made with a Debian or Ubuntu box and accepted by an SSH server is vulnerable.

H D Moore is currently working on what sounds like a rainbow table-style attack which will allow him to brute force authentication over SSH in 2.5 to 6 hours. Because of the rainbow table nature of the attack, it also means he can decode intercepted packets in a matter of seconds.

Risky Business spoke to H D Moore via a VoIP line to his mobile phone in Texas, where he's pulling a late night working on this...

UPDATE: Here's a quick script to re-generate your SSH keys and display the fingerprint (don't forget to update your OpenSSL first!!)


Risky Business #62 -- Hacking Salesforce.com for fun and profit

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's Risky Business podcast is brought to you by Check Point Software and hosted, as always, by Vigabyte virtual hosting.

In this week's show we speak to one of the pioneers of cash-for-vulnerability business practices -- David Endler. He's the director of TippingPoint's DVlabs and the founder and chairman of the VoIP Security Alliance. He popped by to talk about the latest trends in bug shopping.

Of particular interest is what Endler has to say about buying bugs in software-as-a-service applications like Salesforce.com. While TippingPoint would look at buying vulnerabilities in online applications, he doesn't want to be seen to be encouraging any law breaking. It's a bind!

On this week's podcast:

  • ZDNet Australia editor Munir Kotadia discusses the week's news with host Patrick Gray
  • TippingPoint DVlabs director David Endler discusses the market for software as a service bugs
  • Check Point's Steve MacDonald drops by to share his perspective on recent comments made by RSA Security's president Art Coviello in this week's sponsor interview